AWS Direct Connect provides two types of virtual interfaces: public and private. How do I select which one to use to connect to different resources (public or private) in AWS?

Public Virtual Interface

To connect to AWS public endpoints, such as the public IP address of an Amazon Elastic Compute Cloud (Amazon EC2) instance or an Amazon Simple Storage Service (Amazon S3) endpoint, with dedicated network performance, use a public virtual interface.

A public virtual interface allows you to connect to all AWS public IP address ranges globally. Direct Connect customers in any Direct Connect location can create public virtual interfaces to receive Amazon’s global IP routes over BGP, and they can access publicly routable Amazon services in any AWS Region (except the AWS China Region).

Private Virtual Interface

To connect to private services, such as an Amazon Virtual Private Cloud (Amazon VPC), with dedicated network performance, use a private virtual interface.

A private virtual interface allows you to connect to your VPC resources (for example, EC2 instances, load balancers, RDS DB instances, and so on) by their private IP addresses or endpoints. A private virtual interface can connect to a Direct Connect gateway, which can be associated with one or more virtual private gateways in any AWS Region (except the AWS China Region). Because each virtual private gateway is attached to a single VPC, associating several of them with one Direct Connect gateway lets you reach multiple VPCs in any AWS Region (except the AWS China Region) over a single private virtual interface. For a private virtual interface, AWS advertises only the entire VPC CIDR block to the Border Gateway Protocol (BGP) neighbor.

Note: AWS cannot advertise or suppress specific subnet blocks in the VPC for a private virtual interface.
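The two behaviors above (a public virtual interface hands your router Amazon's global routes, a private virtual interface hands it whole VPC CIDRs and nothing more specific) are what an on-premises network team writes its BGP route policy around. The following Python script is an added worked example, not code from this Knowledge Center article or from AWS: it tags routes received over a public virtual interface against the prefix list in AWS's published ip-ranges.json format so you can accept only the services and Regions you actually need, and it checks that every route received over a private virtual interface is exactly one of your VPC CIDRs. The ip-ranges entries and the "received" routes are constructed sample data, and the assumption that you want to filter public routes by (service, region) is the author's, not the article's.

```python
import ipaddress
import json

# Constructed sample in the format of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). The entries are
# illustrative; fetch the live file before building a real route policy.
SAMPLE_IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "52.95.128.0/21", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "AMAZON"},
    ]
})


def load_prefix_index(ip_ranges_json):
    """Parse ip-ranges.json text into (network, service, region) tuples."""
    doc = json.loads(ip_ranges_json)
    return [
        (ipaddress.ip_network(p["ip_prefix"]), p["service"], p["region"])
        for p in doc["prefixes"]
    ]


def tag_prefix(net, index):
    """Return the set of (service, region) tags whose published range covers net."""
    return {
        (service, region)
        for published, service, region in index
        if published.version == net.version and net.subnet_of(published)
    }


def filter_public_vif_routes(received, index, wanted):
    """Split prefixes received over a public VIF into accept / reject / unknown.

    wanted is a set of (service, region) tuples, e.g. {("S3", "us-east-1")}.
    - accept:  covered by a published range carrying a tag in wanted
    - reject:  covered by a published AWS range, but not one you asked for
    - unknown: inside no published AWS range; a public VIF should never
      deliver such a route, so treat it as a policy or data-freshness problem
    """
    result = {"accept": [], "reject": [], "unknown": []}
    for route in received:
        net = ipaddress.ip_network(route)
        tags = tag_prefix(net, index)
        if not tags:
            result["unknown"].append(str(net))
        elif tags & wanted:
            result["accept"].append(str(net))
        else:
            result["reject"].append(str(net))
    return result


def validate_private_vif_routes(received, vpc_cidrs):
    """Over a private VIF AWS advertises only whole VPC CIDRs, so every received
    route must equal one of the VPC CIDRs exactly. Returns (ok, unexpected)."""
    expected = {ipaddress.ip_network(c) for c in vpc_cidrs}
    ok, unexpected = [], []
    for route in received:
        net = ipaddress.ip_network(route)
        (ok if net in expected else unexpected).append(str(net))
    return ok, unexpected


if __name__ == "__main__":
    index = load_prefix_index(SAMPLE_IP_RANGES_JSON)
    # Constructed routes "received" from the public VIF BGP neighbor.
    public_routes = ["52.216.0.0/15", "52.95.128.0/21", "3.80.0.0/12", "198.51.100.0/24"]
    print(filter_public_vif_routes(public_routes, index, {("S3", "us-east-1")}))
    # Constructed routes from a private VIF reaching two VPCs through one
    # Direct Connect gateway; the /24 is not a VPC CIDR and gets flagged.
    print(validate_private_vif_routes(
        ["10.0.0.0/16", "10.0.1.0/24", "172.16.0.0/20"],
        ["10.0.0.0/16", "172.16.0.0/20"]))
```

The accept list is what you would turn into an inbound prefix-list on the customer router for the public virtual interface; everything in reject or unknown is dropped rather than installed. For the private virtual interface, a non-empty unexpected list means the router is learning something other than a whole VPC CIDR, which should not happen and is worth investigating before trusting the route.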



Published: 2016-11-28

Updated: 2017-01-03